Fortigate Traffic Shaping 60

FortiOS™ Handbook - Traffic Shaping
VERSION 6.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET KNOWLEDGE BASE
http://kb.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTINET COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING AND CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com/
FORTIGUARD CENTER
https://fortiguard.com
FORTICAST
http://forticast.fortinet.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
June 5, 2018
FortiOS™ Handbook - Traffic Shaping
01-600-481098-20180605
TABLE OF CONTENTS
Change log 5
Introduction 6
What's new in FortiOS 6.0 6
The purpose of traffic shaping 7
QoS 7
Traffic policing 8
Bandwidth guarantee, limit, and priority interactions 9
FortiGate traffic 10
Through traffic 10
Calculation and regulation of packet rates 12
Important considerations 14
Traffic shaping methods 17
Traffic shaping options 17
Shared policy traffic shaping 18
Per policy 18
For all policies using a traffic shaper 18
Maximum and guaranteed bandwidth 19
Traffic priority 19
Traffic shaping policy order 19
Traffic shaping policy configuration settings 20
VLAN, VDOM, and virtual interfaces 21
Shared traffic shaper configuration settings 21
Shared traffic shaper per policy example 22
Per-IP traffic shaping 23
Per-IP traffic shaping configuration settings 23
Adding a per-IP traffic shaper to a traffic shaping policy 24
Application control shaping 26
Example 27
Reverse direction traffic shaping 28
Setting the reverse direction only 29
Enabling traffic shaping in the security policy 29
Scheduling traffic shaping policies 30
ToS priority 30
ToS in FortiOS 31
Traffic shaping units of measurement 31
Interface-based traffic shaping 32
Internet services support 35
Differentiated services 37
DSCP examples 38
Example 39
Example 40
Example 40
Example 41
Traffic mapping 42
Traffic shaper monitor 43
Examples 45
QoS using priority from security policies 45
Sample configuration 46
QoS using priority from ToS or DiffServ 49
Sample configuration 50
Example setup for VoIP 50
Creating the traffic shapers 50
Alternate method of enabling traffic shaping in the security policy 55
Troubleshooting traffic shaping 56
Interface diagnosis 56
Traffic shaper diagnose commands 56
ToS command 56
Shared traffic shaper 57
Per-IP traffic shaper 57
Packet loss with statistics on traffic shapers 57
Packet lost with the debug flow 58
Session list details with dual traffic shaper 58
Change log
Date Change description
March 29, 2018 FortiOS 6.0 document release. See "What's new in FortiOS 6.0" on page 6.
Traffic Shaping for FortiOS 6.0.0 5

Fortinet Technologies Inc.
Introduction
The following chapters are included in this document:
The purpose of traffic shaping describes traffic shaping theories and QoS.
Traffic shaping methods lists different methods of applying traffic shaping within FortiOS, and explains how to
use Type of Service (ToS) and Differentiated Services (DiffServ).
Examples provides basic application scenarios for traffic shapers.
Troubleshooting traffic shaping lists diagnose commands that you can use to determine if traffic shapers are
working correctly.
What's new in FortiOS 6.0
The following list contains new traffic shaping features added in FortiOS 6.0. Click on a link to navigate to that
section for further information.
l "Interface-based traffic shaping" on page 32

l "Internet services support" on page 35

The purpose of traffic shaping
With the ever-increasing demands on network systems for a number of protocols, including email, HTTP traffic
both internally and externally to the Internet, voice over IP, FTP, and more, slow traffic is becoming a reality.
Important traffic may even be dropped or slowed to an unusable speed. Web traffic delays can result in a loss of
revenue for businesses. Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows
over others. There's a physical limitation to the amount of data that can be buffered and to the length of time it
can be buffered.
FortiGate devices provide Quality of Service (QoS) by applying bandwidth limits and prioritization. You can use
traffic shaping to adjust how a FortiGate allocates resources to different types of traffic to improve performance
and stability of latency sensitive or bandwidth intensive network applications.
Traffic shaping, or traffic management, controls the bandwidth available and sets the priority of traffic processed
by the policy to control the volume of traffic for a specific period (bandwidth throttling) or rate the traffic is sent
(rate limiting).
Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows over others. But there is a
physical limitation to the amount of data which can be buffered and to the length of time. Once these thresholds
are surpassed, frames and packets are dropped, and sessions are affected in other ways.
A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose potential loss is less
disadvantageous. This means that you accept certain sacrifices in performance and stability on low-priority traffic,
to increase or guarantee performance and stability on high-priority traffic.
If, for example, you're applying bandwidth limitations to certain flows, you must accept the fact that these
sessions can be limited and therefore negatively impacted.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping isn't effective
during periods when traffic exceeds the capacity of the FortiGate. Because packets must be received by the
FortiGate before they're subject to traffic shaping, if the FortiGate can't process all of the traffic it receives, then
dropped packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface Ethernet statistics show no
errors, collisions, or buffer overruns.
Accelerated interfaces (NPx network processors and CE) affect traffic shaping. For more information, see the
FortiOS Hardware Acceleration guide.
QoS
Quality of Service (QoS) is the capability to adjust some quality aspects of your overall network traffic. This can
include such techniques as priority-based queuing and traffic policing. Because bandwidth is finite and because
some types of traffic are slow, jitter or packet loss sensitive, bandwidth intensive, or operation critical, QoS can be
a useful tool for optimizing the performance of various applications on your network.
Before implementing QoS, you should first identify the types of traffic that are important to your organization, the
types of traffic that use high amounts of bandwidth, and the types of traffic that are sensitive to latency or packet
loss.

Traffic policing The purpose of traffic shaping
For example, a company might want to guarantee sufficient bandwidth for revenue producing e-commerce traffic.
They need to ensure that transactions can be completed and that clients don't experience service delays and
interruptions. At the same time, the company may need to ensure low latency for voice over IP (VoIP) traffic used
by sales and customer support, while traffic latency and bursts may be less critical to the success of other network
applications such as long term, resumable file transfers. Many organizations discover that QoS is especially
important for managing their voice and streaming multimedia traffic. These types of traffic can rapidly consume
bandwidth and are sensitive to latency.
Discovering the needs and relative importance of each traffic type on your network helps you to design an
appropriate overall approach, including how you to configure each available QoS component technique. Some
organizations discover that they only need to configure bandwidth limits for some services. Other organizations
determine that they need to fully configure interface and security policy bandwidth limits for all services, and
prioritize queuing of critical services relative to traffic rate.
You can implement QoS on FortiGate devices using the following techniques:
Technique Description
Traffic policing Drops packets that don't conform to bandwidth limitations
Ensures that the traffic may consume bandwidth at least at the guaranteed
rate by assigning a greater priority queue if the guarantee isn't being met.
Traffic shaping Also ensures that the traffic can't consume bandwidth greater than the
maximum at any given instance in time. Flows greater than the maximum
rate are subject to traffic policing.
Queuing Transmits packets in the order of their assigned priority queue for that
physical interface. All traffic in a higher priority traffic queue must be
completely transmitted before traffic in lower priority queues is transmitted.
When you're deciding how to configure QoS techniques, it can be helpful to know when FortiGate devices employ
each technique in the overall traffic processing flow, and the considerations that arise from those mechanisms.
Traffic policing
A FortiGate begins to process traffic as it arrives (ingress) and departs (egress) on an interface. In later phases of
network processing, such as enforcing maximum bandwidth use on sessions handled by a security policy, if the
current rate for the destination interface or traffic regulated by that security policy is too high, the FortiGate may
drop the packet. Time spent on prior processing, such as web filtering, decryption, or IPS, is often wasted on
packets that aren't forwarded. This applies to VLAN interfaces and physical interfaces.
You can prevent this wasted effort on ingress by configuring the FortiGate to preemptively drop excess packets
when they're received at the source interface, before most other traffic processing is performed:
config system interface
edit <interface_name>
set inbandwidth <limit>
next
end
8 Traffic Shaping for FortiOS 6.0.0

The purpose of traffic shaping Bandwidth guarantee, limit, and priority interactions
where <limit> is the bandwidth limit for incoming traffic, in kbps. Excess packets are dropped. If
inbandwidth is 0, the rate isn't limited.
A similar CLI command is available that can be performed on egress:

set outbandwidth <limit>
next
end
As with ingress, setting the rate to 0 (zero) sets the rate to unlimited.
Rate limiting traffic accepted by the interface allows you to restrict incoming traffic to rates that, while no longer
the full capacity of the interface, at the traffic shaping point in the processing are more likely to result in
acceptable rates of outgoing traffic per destination interface or all security policies. This conserves FortiGate
processing resources for those packets that are more likely to be viable completely to the point of egress.
Excessive traffic policing can degrade network performance rather than improve it. For more information about
factors that affect traffic policing, see Important considerations on page 14.
NP6 interfaces on FortiGate devices don’t fully support bandwidth limits. When you set the outbandwidth setting
on an NP6 interface, the FortiGate implements a lower bandwidth limit than the one that you configure. The
inbandwidth setting has no effect on an NP6 interface, unless you disable NP offloading for the traffic on that
interface.
Bandwidth guarantee, limit, and priority interactions
After packet acceptance, the FortiGate classifies traffic and may apply traffic policing at additional points during
processing. It may also apply QoS techniques, such as prioritization and traffic shaping. Traffic shaping consists
of a mixture of traffic policing to enforce bandwidth limits, and priority queue adjustment to assist packets in
achieving the guaranteed rate.
If you have configured prioritization, the FortiGate prioritizes egressing packets by distributing them among FIFO
(first in, first out) queues associated with each possible priority number. Each physical interface has six priority
queues. Virtual interfaces don't have their own queues, and instead use the priority queues of the physical
interface to which they are bound.
Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue.
However, for reasons described below, you may observe that your traffic uses only a subset of those six queues.
Some traffic may always use a certain queue number. Some queuing may vary by the packet rate or mixture of
services. Some queue numbers may be used only by through traffic for which you have configured traffic shaping
in the security policy that applies to that traffic session. For example:
l Administrative access traffic will always use queue 0.

l Traffic matching security policies without traffic shaping may use queue 0, queue 1, or queue 2. Which queue will
be used depends on the priority value you have configured for packets with that Type of Service (ToS) bit value, if
you have configured ToS-based priorities.
l Traffic matching security policies with traffic shaping may use any queue. Which queue will be used depends on
whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed
bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.

FortiGate traffic The purpose of traffic shaping
l If the global tos-based-priority is low (3), the priority in a traffic shaper is medium (2) and a packet flows though a
policy that refers to the traffic shaper, the packet will be assigned the priority defined by the traffic shaper, in this
case medium (2).
Prioritization and traffic shaping behavior varies according to your configuration, the service types and traffic
volumes, and whether the traffic is through traffic, or the traffic originates from or terminates at the FortiGate
itself.
FortiGate traffic
Security policies don't apply to administrative access to the FortiGate through HTTPS or SSH, or IPsec tunnel
negotiations, and therefore FortiGate devices don't apply traffic shaping. Such traffic also uses the highest
priority queue, queue 0. In other words, packet priority = 0.
Exceptions to this rule include traffic types that are connections related to a session governed by a security policy.
For example, if you enabled scanning by FortiGuard antivirus, traffic from the sender technically terminates at the
FortiGate proxy that scans that traffic type. The FortiGate initiates a second connection that transmits scanned
content to its destination. Because the second connection’s traffic is technically originating from the FortiGate
proxy and therefore the FortiGate itself, it uses the highest priority queue, queue 0. However, this connection is
logically associated with through traffic, and is therefore subject to possible bandwidth enforcement and
guarantees in its governing security policy. In this way, it behaves partly like other through traffic.
Through traffic
For traffic passing through the FortiGate, the method a FortiGate uses to determine the priority queue varies by
whether traffic shaping is enabled or not. Packets may or may not use a priority queue directly or indirectly derived
from the Type of Service (ToS) bit — sometimes used instead with differentiated services — in the packet’s IP
header.
If traffic shaping isn't applied to a security policy, the FortiGate doesn't limit or guarantee bandwidth, and traffic
for that session uses the priority queue determined directly by matching the ToS bit in its header with the
configured values:
config system global
set traffic-priority tos
set traffic-priority-level {high | low | medium}
end
or, if you have configured a priority specifically for that ToS bit value:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
end
where tos is the value of the ToS bit in the packet’s IP header, and high has a priority value of 0 and low is 2.
Priority values configured in the second location will override the global ToS-based priority. In other words, packet
priority = ToS-based priority.

The purpose of traffic shaping Through traffic
For example, you might specify that packets with a ToS bit value of 2 should use queue 0, which is the highest
priority queue:
edit 15
set tos 2
set priority high
next
end
If traffic shaping is applied to a security policy using a shared shaper, the FortiGate may subject packets to traffic
policing or priority queue increases in an effort to meet bandwidth guarantees configured in the shaper.
For example, you might create a shared traffic shaper, where high has a priority value of 1 and low is 3, and
<rate> is the bandwidth limit in kilobits per second:
config firewall shaper traffic-shaper
edit <shaper_name>
...
set priority {high | medium | low}
set maximum-bandwidth <rate>
set guaranteed-bandwidth <rate>
end
Note that it's also necessary to create a traffic shaping policy and set it to use the shared traffic shaper:
config firewall shaping-policy
edit <policy ID>
...
set srcaddr <source address>
set dstaddr <destination address>
set service <service name>
set dstintf <destination interface list>
set traffic-shaper <shaper_name>
end
The following diagram shows traffic queuing as the packet rate increases.

Through traffic The purpose of traffic shaping
l If the current packet rate is less than guaranteed bandwidth, packets use priority queue 0: packet priority = 0.
l If the current packet rate is greater than guaranteed bandwidth but less than maximum bandwidth, the FortiGate
assigns a priority queue by adding the numerical value of the security policy-based priority, where the value of High
is 1, and Low is 3, with the numerical value of the ToS-based priority, where high has a priority value of 0 and low
is 2. Because the two values are added, depending on the configured ToS-based priorities, packets in this category
could use queues from queue 1 to queue 5. In other words: packet priority = ToS-based priority + security policy-
based priority.
l If you enabled traffic shaping in the security policy, and the security policy’s Traffic Priority is Low (value 3), and the
priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority
of 4, and use priority queue 4.
l If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
Calculation and regulation of packet rates

Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are:
rate = amount / time
where rate is expressed in Kbps
Burst size at any given instant can't exceed the amount configured for maximum bandwidth. Packets that exceed
this are dropped. Packets deduct from the amount of bandwidth available to subsequent packets and available
bandwidth regenerates at a fixed rate. As a result, bandwidth available to a given packet may be less than the
configured rate, down to a minimum of 0 Kbps.
Rate calculation and behavior can alternatively be described using the token bucket metaphor, where:
l A traffic flow has an associated bucket, which represents burst size bounds, and is the size of your configured
bandwidth limit.
l The bucket receives tokens, which represent available bandwidth, at the fixed configured rate.
l As time passes, tokens are added to the bucket, up to the capacity of the bucket. Excess tokens are discarded.
l When a packet arrives, the packet must deduct bandwidth tokens from the bucket equal to its packet size in order to
egress.
l Packets can't egress if there are insufficient tokens to pay for its egress. These nonconforming packets are dropped.
Bursts aren't redistributed over a longer interval, so bursts are propagated rather than smoothed, although their
peak size is limited.
Maximum burst size is the capacity of the bucket (the configured bandwidth limit). Actual size varies by the
current number of tokens in the bucket, which may be less than bucket capacity, due to deductions from previous
packets and the fixed rate at which tokens accumulate. A depleted bucket refills at the rate of your configured
bandwidth limit. Bursts can't borrow tokens from other time intervals. This behavior is illustrated in the graph
below.

The purpose of traffic shaping Through traffic
Bursts and bandwidth limits over time
By limiting traffic peaks and token regeneration in this way, the available bandwidth at any given moment may be
less than bucket capacity, but your limit on the total amount per time interval is ensured. Total bandwidth use
during each interval of one second is, at most, the integral of your configured rate.
You may observe that external clients, such as FTP or BitTorrent clients, initially report rates between Maximum
Bandwidth and twice that of Maximum Bandwidth, depending on the size of their initial burst. This is notably so
when a connection is initiated following a period of no network activity. The apparent discrepancy in rates is
caused by a difference in perspective when delimiting time intervals. A burst from the client may initially consume
all tokens in the bucket, and before the end of one second, as the bucket regenerates, be allowed to consume
almost another bucket’s worth of bandwidth. From the perspective of the client, this constitutes one time interval.
From the perspective of the FortiGate, however, the bucket can't accumulate tokens while full. Therefore, the
time interval for token regeneration begins after the initial burst, and doesn't contain the burst. These different
points of reference result in an initial discrepancy equal to the size of the burst — the client’s rate contains it, but
the FortiGate device’s rate doesn't. If the connection is sustained to its limit and time progresses over an
increasing number of intervals, however, this discrepancy decreases in importance relative to the bandwidth total,
and the client’s reported rate will eventually approach that of the configured rate limit for the FortiGate device.
For example, the Maximum Bandwidth might be 50 Kbps and there has been no network activity for one or more
seconds. The bucket is full. A burst from an FTP client immediately consumes 50 kilobits. Because the bucket
completely regenerates over one second, by the time almost another second has elapsed from the initial burst,
traffic can consume another 49.999 kilobits, for a total of 99.999 kilobits between the two points in time. From the
vantage point of an external FTP client regulated by this bandwidth limit, it therefore initially appears that the
bandwidth limit is 99.999 Kbps, almost twice the configured limit of 50 Kbps. However, bucket capacity only
regenerates at your configured rate of 50 Kbps, and so the connection can only consume a maximum of
50 kilobits during each second thereafter. The result is that as bandwidth consumption is averaged over an
increasing number of time intervals, each of which are limited to 50 Kbps, the effects of the first interval’s doubled

Important considerations The purpose of traffic shaping
bandwidth size diminishes proportionately, and the client’s reported rate eventually approaches your configured
rate limit. The following table shows the effects of a 50 Kbps limit on client reported rates.
Total size transferred (kilobits) Time (seconds) Rate reported by client (Kbps)
99.999 (50 + 49.999) 1 99.999
149.999 2 74.999
199.999 3 66.666
249.999 4 62.499
299.999 5 59.998
349.999 6 58.333
... ... ...
Guaranteed Bandwidth can also be described using a token bucket metaphor. However, because this feature
attempts to achieve or exceed a rate rather than limit it, the FortiGate doesn't discard non-conforming packets, as
it does for Maximum Bandwidth. Instead, when the flow doesn't achieve the rate, the FortiGate increases the
packets’ priority queue, in an effort to increase the rate.
Guaranteed and maximum bandwidth rates apply to the bidirectional total for all sessions controlled by the
security policy. For example, an FTP connection may entail two separate connections for the data and control
portion of the session. Some packets may be reply traffic rather than initiating traffic. All packets for both
connections are counted when calculating the packet rate for comparison with the guaranteed and maximum
bandwidth rate.
Important considerations
By implementing Quality of Service (QoS), you trade some performance and/or stability from traffic X by
discarding packets or introducing latency in order to improve performance and stability of traffic Y. The best traffic
shaping configuration for your network balances the needs of each traffic flow by considering not only the needs
of your particular organization, but also the resiliency and other characteristics of each particular service.
For example, you may find that web browsing traffic is both more resistant to interruptions or latency and less
business critical than UDP or VoIP traffic, and so you might implement less restrictive QoS measures on UDP or
VoIP traffic than on HTTP traffic.
An appropriate QoS configuration also takes into account the physical limits of your network devices and the
interactions of the QoS mechanisms described in "Bandwidth guarantee, limit, and priority interactions" on page
9.
You may choose to configure QoS differently based on the hardware limits of your network and FortiGate. Traffic
shaping may be less beneficial in extremely high-volume situations where traffic exceeds a network interface’s or
your FortiGate model’s overall physical capacity. A FortiGate must have enough resources, such as memory and
processing power, to process all traffic it receives, and to process it at the required rate. If it doesn't have this
capacity, then dropped packets and increased latency are likely to occur. For example, if the total amount of

The purpose of traffic shaping Important considerations
memory available for queuing on a physical interface is frequently exceeded by your network’s typical packet
rates, frames and packets must be dropped. In such a situation, you might choose to implement QoS using a
higher model FortiGate, or to configure an incoming bandwidth limit on each interface.
Incorrect traffic shaping configurations can actually further degrade certain network flows, because excessive
discarding of packets or increased latency beyond points that can be gracefully handled by that protocol can
create additional overhead at upper layers of the network, which may be attempting to recover from these errors.
For example, a configuration might be too restrictive on the bandwidth accepted by an interface, and may
therefore drop too many packets, resulting in the inability to complete or maintain a SIP call.
To optimize traffic shaping performance, first ensure that the Ethernet statistics for the network interface are
clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to
see the traffic statistics:
diagnose hardware deviceinfo nic <port_name>
If these aren't clean, adjust the FortiGate and settings of routers or other network devices that are connected to
the FortiGate. For more information, see "Troubleshooting traffic shaping" on page 56.
Once Ethernet statistics are clean, you may want to use only some of the available FortiGate QoS techniques, or
configure them differently, based on the nature of FortiGate QoS mechanisms described in "Bandwidth
guarantee, limit, and priority interactions" on page 9.
Configuration considerations include:
l For maximum bandwidth limits, ensuring that bandwidth limits at the source interface and security policy aren't too
low, which can cause the FortiGate to discard an excessive number of packets.
l For prioritization, considering the ratios of how packets are distributed between available queues, and which queue
is used by which types of services. If you assign most packets to the same priority queue, it negates the effects of
configuring prioritization. If you assign many high bandwidth services to high priority queues, lower priority queues
may be starved for bandwidth and experience increased or indefinite latency. For example, you may want to
prioritize a latency-sensitive service, such as SIP, over a bandwidth-intensive service such as FTP. Consider also
that bandwidth guarantees can affect the queue distribution, assigning packets to queue 0 instead of their typical
queue in high-volume situations.
l You may or may not want to guarantee bandwidth, because it causes the FortiGate to assign packets to queue 0 if
the guaranteed packet rate isn't currently being met. Comparing queuing behavior for lower-bandwidth and higher-
bandwidth situations, this would mean that effects of prioritization only become visible as traffic volumes rise and
exceed their guarantees. Because of this, you might want only some services to use bandwidth guarantees, to
avoid the possibility that in high-volume situations all traffic uses the same queue, thereby negating the effects of
configuring prioritization.
l For prioritization, configure prioritization for all through traffic. You may want to configure prioritization by either
ToS-based priority or security policy priority, but not both. This simplifies analysis and troubleshooting.
Traffic subject to both security policy and ToS-based priorities use a combined priority from both of those parts
of the configuration, while traffic subject to only one of the prioritization methods will use only that priority. If
you configure both methods, or if you configure either method for only a subset of your traffic, packets for
which a combined priority applies will frequently receive a lower priority queue than packets for which you have
only configured one priority method, or for which you have not configured prioritization.
For example, if both ToS-based priority and security policy priority both dictate that a packet should receive a
medium priority, in the absence of bandwidth guarantees, a packet uses queue 3, while if only ToS-based
priority is configured, the packet uses queue 1, and if only security policy-based priority is configured, the
packet uses queue 2. If no prioritization is configured, the packet uses queue 0.

Important considerations The purpose of traffic shaping
For example alternative QoS implementations that illustrate these considerations, see "Examples" on page 45.

Traffic shaping methods
There are three types of traffic shaping configurations in FortiOS. Each type has a specific function, and all types
can be used together in varying configurations. Policy shaping allows you to define the maximum bandwidth and
the guaranteed bandwidth set for a security policy. Per-IP traffic shaping allows you to define traffic control on a
more granular level. Application traffic shaping goes further, allowing traffic controls on specific applications or
application groupings.
This section describes the types of traffic shapers and how to configure them in the GUI and the CLI.
To configure traffic shaping in the GUI, you must enable Traffic Shaping in
System > Feature Visibility.
Traffic shaping options
When you configure traffic shaping for your network, you can use the following methods to control the flow of
network traffic to ensure that the traffic you want gets through, while also limiting bandwidth for less important
traffic or traffic that consumes a lot of bandwidth.
l Shared policy shaping - bandwidth management by security policies

l Per-IP shaping - bandwidth management by user IP addresses
l Application control shaping - bandwidth management by application
Traffic shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth, and DSCP
options. You create shared policy traffic shapers and per-IP traffic shapers under Policy & Objects > Traffic
Shapers.
You then enable traffic shapers within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy.
You can apply application control shaping to any traffic shaping policy, under Policy & Objects > Traffic Shaping
Policy. You can control traffic by application category, application, and URL category.
To apply application control shaping, you must first enable application control at the
policy level, under Policy & Objects > IPv4 Policy.
Traffic shaping policies allow you to apply traffic shaping measures to any traffic that matches your criteria. The
criteria must specify a source, destination, service, and outgoing interface. Also, you must enable at least one
type of traffic shaper to create a traffic shaping policy.
You can enable traffic shaping options on a FortiGate at the same time within a single traffic shaping policy.
Generally, the hierarchy for traffic shapers in FortiOS is:
l Application control traffic shaper

l Shared policy traffic shaper
l Per-IP traffic shaper

Shared policy traffic shaping Traffic shaping methods
Within this hierarchy, if an application control list has a traffic shaper defined, it has precedence over any other
policy traffic shaper. For example, the Facebook application control example in Application control shaping on
page 26 supersedes any security policy enabled traffic shapers. While the Facebook application may reach its
maximum bandwidth, the user can still have the bandwidth room available from the shared traffic shaper and, if
enabled, the per-IP traffic shaper.
Equally, any security policy shared traffic shaper has precedence over any per-IP traffic shaper. However, traffic
that exceeds any of these traffic shapers is dropped. For example, the policy traffic shaper takes effect first, but if
the per-IP traffic shaper limit is reached first, the traffic for that user is dropped even if the shared traffic shaper
limit for the policy hasn't been exceeded.
Shared policy traffic shaping
Traffic shaping by security policy allows you to control the maximum and guaranteed throughput for any security
policies specified in the traffic shaping policy.
When you configure a traffic shaper, you can apply bandwidth shaping per policy or for all policies. Depending on
your selection, the FortiGate applies the traffic shaping rules differently.
By default, shared traffic shapers apply traffic shaping evenly to all policies
that use. For Per policy and All policies using this shaper options to
appear in the GUI, you must first enable it in the CLI. Go to Policy & Objects
> Traffic Shapers and right-click on the traffic shaper to edit it in the CLI.
Enter the following CLI commands:
set per-policy enable
end
Per policy
When you select a shared traffic shaper to be per policy, the FortiGate applies the traffic shaping rules to each
security policy individually.
For example, if a traffic shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four
security policies, each policy has the same maximum bandwidth of 1000 Kb/s.
Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization
rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not
operating in transparent mode.
For all policies using a traffic shaper

When you select a shared shaper to apply to all policies -All Policies using this shaper - the FortiGate applies
the traffic shaping rules to all policies using the same shaper. For example, a traffic shaper is set to be per policy
with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the
FortiGate. All four have the traffic shaper enabled. Each security policy must share the defined 1000 Kbps, and is
set on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200
Kbps. As policy 1 uses less bandwidth, it's opened up to the other policies to use as required. Once used, any
other policies encounters latency until free bandwidth opens from a policy currently in use.

Traffic shaping methods Shared policy traffic shaping
Maximum and guaranteed bandwidth

The maximum bandwidth instructs the security policy what the largest amount of traffic allowed using the policy.
Depending on the service or the users included for the security policy, this number can provide a larger or smaller
throughput depending on the priority you set for the traffic shaper.
The Maximum Bandwidth can be set to a value of between 1 and 16776000 Kbps. The GUI gives an error if
any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting maximum-
bandwidth to 0 (zero) prevents any traffic from going through the policy.
The guaranteed bandwidth ensures there's a consistent reserved bandwidth available for a given service or user.
When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of
the interface, otherwise no other traffic will pass through the interface or very little and potentially causing
unwanted latency.
Traffic priority
Select a traffic priority of high, medium, or low, so the FortiGate manages the relative priorities of different types
of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic
should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall
provides bandwidth to low-priority connections only when bandwidth isn't needed for high-priority connections.
Be sure to enable traffic shaping on all security policies. If you don't apply a traffic shaping rule to a policy, the
policy is set to high priority by default. Distribute security policies over all three priority queues.
Traffic shaping policy order

You must also place the traffic shaping policies in the correct order in the traffic shaping policy list page to get the
desired results. It's necessary to arrange your traffic shaping policies into a sequence that places your more
granular policies above general Internet access policies. For example, you should place any policies with
application control shaping at the top of the traffic shaping policy list, followed by more general traffic shaping
policies with shared policy shapers and per-IP traffic shapers.
The policy list page is located under Policy & Objects > Traffic Shaping Policy. To change the order of the policies,
select the far left column to move the policy up or down. Make sure that the Seq.# column is showing on your
menu so you can easily verify a policy's position in the sequence.
The following example shows how to order your policies. The high priority VoIP traffic shaping policy is placed at
the top of the list, followed by restrictive policies to control streaming media, and your general Internet access
policy last.

Traffic shaping policy configuration settings

To configure a traffic shaping policy, go to Policy & Objects > Traffic Shaping Policy and select the Create New +
sign to create a new traffic shaping policy.
Set the Matching Criteria to the default options shown below or specify the criteria so that it matches a specific
security policy.
Source *all (default)
Destination *all (default)
Service *ALL (default)
- Choose an application category to apply traffic shaping to a specific

Application Category
category of applications. For example, P2P, Social.Media, or VoIP.
Application - Choose an application to specify which applications you want to apply

traffic shaping to. For example, YouTube, Vimeo, or Facebook.
- Choose a URL category to block a subset of applications. For example,

URL Category
potentially liable websites, security risks, or bandwidth consuming services.
Set Apply shaper to the following:
Outgoing Interface *any (Set this to the external interface that you want to apply traffic
shaping to. For example, wan1 is often used.)
Choose one of the default shared traffic shapers: guarantee-100kbps, high-

priority, medium-priority, low-priority, shared-1M-pipe or create your own
Shared Shaper under Policy & Objects > Traffic Shapers. Shared traffic shapers share the
allotted bandwidth with any security policies using them (unless they're set
to per-policy in the CLI). This affects uploads or outbound traffic.
Reverse Shaper Choose one of the default shared traffic shapers: guarantee-100kbps, high-
priority, medium-priority, low-priority, shared-1M-pipe, or create your own
under Policy & Objects > Traffic Shapers. This affects downloads or
inbound traffic.
Enable a per-IP traffic shaper if you want to apply traffic shaping by

bandwidth management by user IP addresses. You create traffic shapers
Per-IP Shaper
under Policy & Objects > Traffic Shapers. Per-IP shapers affect downloads
and uploads.
Enable this policy Policies are enabled by default, but if you want to disable a traffic shaping
policy de-select it here.
To create the traffic shaping policy - CLI:


Traffic shaping methods Shared policy traffic shaping
edit <shaping_policy_ID>
set srcaddr <source_address>
set dstaddr <destination_address>
set service <service_name>
set schedule {always | none}
application <application_name>
app-category <application_category_ID_list>
url-category <URL_category_ID_list>
dstintf <destination_interface_list>
traffic-shaper <shared_shaper_name>
traffic-shaper-reverse <reverse_traffic_shaper_name>
per-ip-shaper <per_IP_shaper_name>
end
VLAN, VDOM, and virtual interfaces

Policy-based traffic shaping doesn't use queues directly. It shapes the traffic and if the packet is allowed by the
security policy, a priority is assigned. That priority controls what queue the packet is put in upon egress. VLANs,
VDOMs, aggregate ports, and other virtual devices don't have queues and, as such, traffic is sent directly to the
underlying physical device where it's queued and affected by the physical ports. This is also the case with IPsec
connections.
Shared traffic shaper configuration settings

To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select the Create New +
sign to create a new traffic shaper.
Type Select Shared.
Name Enter a name for the traffic shaper.
Apply Shaper When selecting a traffic shaper to be Per Policy, the FortiGate applies the
traffic shaping rules defined to each security policy individually. For
example, if a traffic shaper is set to per policy, with a maximum bandwidth
of 1000 Kbps, any security policies that have that traffic shaper enabled get
1000 Kbps of bandwidth each.
When selecting a traffic shaper to apply to all policies ( For All Policies
Using This Shaper), the FortiGate applies the traffic shaping rules to all
policies using the same traffic shaper. For example, the traffic shaper is set
to be per policy with a maximum bandwidth of 1000 Kbps. There are four
security policies monitoring traffic through the FortiGate. All four have the
traffic shaper enabled. Each security policy must share the defined 1000
Kbps, and is set on a first come, first served basis. For example, if policy 1
uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1 uses
less bandwidth, that open bandwidth becomes available to the other
policies to use as required. Once used, any other policies encounter latency
until free bandwidth opens from a policy currently in use.

Select level of importance Priority so the FortiGate manages the relative

priorities of different types of traffic. For example, a policy for connecting to
a secure web server needed to support e-commerce traffic should be
assigned a high traffic priority. Less important services should be assigned
Traffic Priority
a low priority.
If you don't apply any traffic shaping priority, the priority is set to high
priority, by default.
Maximum Bandwidth The maximum bandwidth instructs the security policy what the largest
amount of traffic allowed using the policy. Depending on the service or the
users included for the security policy, this number provides a larger or
smaller throughput depending on the priority you set for the traffic shaper.
Setting Maximum Bandwidth to 0 provides unlimited bandwidth.
The guaranteed bandwidth ensures that a consistent reserved bandwidth

is available for a given service or user. Ensure that you set the bandwidth
to a value that's significantly less than the bandwidth capacity of the
Guaranteed Bandwidth interface. Otherwise, little to no traffic passes through the interface and
potentially causes unwanted latency.
Setting Guaranteed Bandwidth to 0 provides unlimited bandwidth.
DSCP Enter the number for the DSCP value. You can use the FortiGate
Differentiated Services feature to change the DSCP (Differentiated
Services Code Point) value for all packets accepted by a policy. The
network can use these DSCP values to classify, mark, shape, and police
traffic, and to perform intelligent queuing. DSCP features are applied to
traffic by configuring the routers on your network to apply different service
levels to packets depending on the DSCP value of the packet. For more
information, see Traffic shaping methods.
Shared traffic shaper per policy example

The following steps create a per policy traffic shaper called “Throughput” with a maximum traffic amount of
720,000 Kbps, and a guaranteed traffic of 150,000 Kbps with a high traffic priority.
To create the shared traffic shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers and select the Create New + sign.
2. Set the Type to Shared.
3. Enter the Name Throughput.
4. Set the Apply shaper field to Per Policy.

Traffic shaping methods Per-IP traffic shaping
By default, shared traffic shapers apply traffic shaping evenly to all policies
that use it. For Per policy and All policies using this shaper options to
appear in the GUI, you must first enable it in the CLI. Go to Policy & Objects
> Traffic Shapers and right-click on the traffic shaper to edit it in the CLI.
Enter the following CLI commands:
end
5. Set the Traffic Priority to High.

6. Select the Maximum Bandwidth check box and enter the value 150000.
7. Select the Guaranteed Bandwidth check box and enter the value 120000.
8. Select OK.
To create the shared shaper - CLI:

edit Throughput
set maximum-bandwidth 150000
set guaranteed-bandwidth 120000
set priority high
end
Per-IP traffic shaping
Traffic shaping by IP allows you to apply traffic shaping to all source IP addresses in the security policy. In
addition to controlling the maximum bandwidth users of a selected policy, you can also define the maximum
number of concurrent sessions.
Per-IP traffic shaping allows you to limit the behavior of every member of a policy to avoid having one user use all
of the available bandwidth. The bandwidth is shared equally within a group. Using a per-IP traffic shaper avoids
having to create multiple policies for every user you want to apply a traffic shaper. Per-IP traffic shaping isn't
supported over NP2 interfaces.
Per-IP traffic shaping configuration settings

To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers > Per-IP and select the Create
New + sign.
Type Select Per-IP.
Name Enter a name for the per-IP traffic shaper.

Per-IP traffic shaping Traffic shaping methods
Maximum Bandwidth The maximum bandwidth instructs the security policy what the largest
amount of traffic allowed using the policy. Depending on the service or the
users included for the security policy, this number can provide a larger or
smaller throughput depending on the priority you set for the traffic shaper.
Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.
Maximum Concurrent
Enter the maximum allowed concurrent connections.
Connections
Forward DSCP Enter the number for the DSCP value. You can use the FortiGate
Reverse DSCP Differentiated Services feature to change the DSCP (Differentiated
Services Code Point) value for all packets accepted by a policy. The
network can use these DSCP values to classify, mark, shape, and police
traffic, and to perform intelligent queuing. DSCP features are applied to
traffic by configuring the routers on your network to apply different service
levels to packets depending on the DSCP value of the packet. For more
information, see Traffic shaping methods.
Example
The following steps create a per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000
Kbps, and the number of concurrent sessions of 200.
To create the shared shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.
2. Set the Type to Per-IP.
3. Enter the Name Accounting.
4. Enable the Maximum Bandwidth and enter the value 720000.
5. Enable the Maximum Concurrent Sessions and enter the value 200.
6. Select OK.
To create the shared shaper - CLI:

config firewall shaper per-ip-shaper
edit Accounting
set max100-bandwidth 720000
set max-concurrent-session 200
end
Adding a per-IP traffic shaper to a traffic shaping policy

Per-IP traffic shaping is supported by IPv6 security policies. You can add any per-IP traffic shaper to an IPv6
security policy in the CLI.
Example
The following steps show you how to add an existing per-IP traffic shaper to an IPv6 security policy. Make sure
that you have already created a per-IP traffic shaper under Policy & Objects > Traffic Shapers.

Traffic shaping methods Per-IP traffic shaping
To add a per-IP traffic shaper to an IPv6 security policy - GUI:
1. Go to Policy & Objects > IPv6 Policy and click the Create New + icon to create an Internet access policy.
2. Set the following:
Name Enter a descriptive name
Incoming Interface Internal
Source address All
Outgoing interface wan1
Destination address all
Schedule Always
Service Any
Action Accept
3. Select OK.
4. Go to Policy & Objects > Traffic Shaping Policy and the Create New + icon to create a new traffic shaping policy.
5. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the
following:
Source all
Service ALL
Application Category -
Application -
URL Category -
6. Under Apply shaper, set the following:
Outgoing interface any
(The outgoing interface should match the outgoing interface of the security
policy you want to apply traffic shaping to.)
Shared Shaper -
Reverse Shaper -
Per-IP Shaper Enable Per-IP Shaper and select your traffic traffic shaper from the drop-
down menu.
Enable this policy Enable this policy

Application control shaping Traffic shaping methods
7. Select OK.
8. On the policy list page, move the per-IP traffic shaper to the top of the list by clicking on the far left column to drag
and drop it.
There are two methods to configure traffic shaping in the CLI. You can add a per-IP traffic shaper directly to an
IPv6 security policy, or you can add a per-IP shaper to a traffic shaping policy. The second method will allow you
to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first
method requires that you enable traffic shaping individually in all policies using the same two interfaces.
To add a per-IP traffic shaper to an IPv6 security policy- CLI:

config firewall policy6
edit <security_policy_ID_number>
set per-ip-shaper <per_IP_shaper_name>
end
To add a per-IP traffic shaper to an IPv6 traffic shaping policy - CLI:

edit 1 <security_policy_ID_number>
set ip-version 6
set srcaddr <source_address>
set dstaddr <destination_address>
set service <service_name>
set dstintf <outgoing_interface>
set per-ip-shaper <per_IP_shaper_name>
end
Application control shaping
Traffic shaping is also possible for specific applications. Application control shaping works in conjunction with a
shared traffic shaper or per-IP traffic shaper. You must create a traffic shaper with the bandwidth settings you
would like to enforce or edit one of the predefined traffic shapers in the Policy & Objects > Traffic Shapers menu.
Traffic shaping policies allow you to enable these traffic shapers and configure application control options. In the
traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also
specify which security policies to apply your traffic shaper to by setting the Matching Criteria.You can create a
traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.
For application control shaping to work, application control must be enabled

in a security policy, through Policy & Objects > IPv4 Policy or Policy
& Objects > IPv6 Policy under Security Profiles.
Also, application control traffic shaping affects only applications that are set
to pass in the Security Profiles > Application Control menu.
For more information about application control, see the FortiOS Security Profiles Guide.

Traffic shaping methods Application control shaping
Example
This example sets the traffic shaping definition for Facebook to a medium priority, a default traffic shaper.
To add traffic shaping for Facebook - GUI:
1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.
2. Select the Create New + icon in the upper right corner of the screen to create a new security policy (or edit an
existing Internet access policy).
3. Set the following to enable application control within a security policy:
Name <Enter a descriptive name.>
Incoming Interface Internal
Source address All
Outgoing interface wan1
Schedule Always
Service Any
Action Accept
Application Control Under Security Profiles, enable Application Control and select the default
application control profile.
4. Select OK.
5. Go to Policy & Objects > Traffic Shaping Policy and the Create New + icon to create a new traffic shaping policy.
6. To apply your traffic shaping policy to the security policy you created earlier, set the Matching Criteria to the
following:
Source all
Service ALL
Application Category Social.Media
Application Facebook
URL Category Social Networking

Reverse direction traffic shaping Traffic shaping methods
Outgoing interface any
(The outgoing interface should match the outgoing interface of the security
policy you want to apply shaping to.)
Shared Shaper Enable Shared Shaper and select medium-priority from the drop-down
menu.
Reverse Shaper Enable Shared Shaper and select medium-priority from the drop-down
menu.
Enable this policy Enable this policy.
8. Select OK.
9. On the policy list page, move the Facebook traffic shaping policy to the top of the list by clicking on the far left
column to drag and drop it.
To create a traffic shaping policy for Facebook - CLI:

edit 1 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set application 15832
set app-category 23 <Social.Media>
set url-category 37 <Social Networking>
set dstintf wan1 <outgoing_interface>
set traffic-shaper medium-priority
set reverse-traffic-shaper medium-priority
end
Reverse direction traffic shaping
The traffic shaper you select in the traffic shaping policy (shared traffic shaper) affects the traffic in the direction
defined in the policy. For example, if the source port is lan and the destination is wan1, the traffic shaping affects
the flow in this direction only — affecting the upload speed of the outbound traffic. By selecting Shared Traffic
Shaper Reverse Direction, you can define the traffic shaper for the policy in the opposite direction to affect the
download speed of the inbound traffic. In this example, from wan 1 to lan.
To add a reverse shaper - GUI:
1. Go to Policy & Objects > Traffic Shaping Policy.

2. Click Create New or select an existing policy and click Edit.
3. Set the Matching Criteria to match the interfaces of any security policies you want to affect.
4. Navigate to the Apply shaper section, enable the Shared Shaper, and select a traffic shaper from the drop-
down menu.
5. Enable the Reverse Shaper and select a traffic shaper from the drop-down menu.
6. Select OK.

Traffic shaping methods Enabling traffic shaping in the security policy
Setting the reverse direction only

There may be instances where you only need traffic shaping for incoming connections, which is in the reverse
direction of typical traffic shapers.
To add a reverse traffic shaper - GUI:
1. Go to Policy & Objects > Traffic Shaping Policy.

2. Click Create New or select an existing policy and click Edit.
3. Set the Matching Criteria to match the interfaces of any security policies you want to affect.
4. Navigate to the Apply shaper section, enable the Reverse Shaper and select a traffic shaper from the drop-
down menu.
5. Select OK.
To configure a reverse-only traffic shaper in a traffic shaping policy - CLI:

edit <policy_number>
set reverse-traffic-shaper medium-priority
end
To configure a reverse-only shaper within a security policy - CLI:

config firewall policy
...
set traffic-shaper-reverse <shaper_name>
end
Enabling traffic shaping in the security policy
Historically, FortiOS traffic shapers have always been enabled within a security policy. This is no longer the
easiest way to apply traffic shapers, since in FortiOS 5.4 traffic shaping is now configured in the traffic shaping
policy section, under Policy & Objects > Traffic Shaping Policy. However, you can still enable traffic shapers within
a security policy using CLI commands and it will then appear in the GUI afterwards. The traffic shapers always go
into effect after any DoS detection policies, and before any routing or packet scanning occurs.
Traffic shaping is also supported for IPv6 policies.
This isn't the recommended method, as it's easier to keep track of and order your
traffic shaping policies if you configure them within a traffic shaping policy.
To enable traffic shaping within a security policy - CLI:

...
set traffic-shaper <traffic_shaper_name>

Scheduling traffic shaping policies Traffic shaping methods
set reverse-traffic-shaper <traffic_shaper_name>

set per-ip-shaper <per_IP_traffic_shaper_name>
end
Shared traffic shapers affect outbound traffic heading to a destination. To affect inbound traffic, or downloads,
enable the Reverse Shaper also. For more information, see "Reverse direction traffic shaping" on page 28.
Scheduling traffic shaping policies
In FortiOS 5.6.3, a new scheduling feature was added to traffic shaping policies to apply different traffic shaping
profiles at different times. This "schedule" attribute is currently only available using the CLI, and you can use
this feature to apply a recurring schedule to your traffic shaping policies. The default recurring schedule options
available are always or none. You can also create new schedules or schedule groups under Policy & Objects >
Schedules. This allows you to create custom recurring or one-time schedules that can then be applied to your
traffic shaping policies using the CLI commands below.
To schedule traffic shaping policies - CLI:

set schedule {always | none}
end
ToS priority
Type of service (ToS) is an 8-bit field in the IP header that allows you to determine how the IP datagram should
be delivered, using criteria of delay, throughput, priority, reliability, and cost. Each quality helps gateways
determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The
lowest priority ToS is 0, and the highest is 7 when bits 3, 4, and 5 are all set to 1. There are other seldom used or
reserved bits that aren't listed here.
Together these bits are the ToS variable of the tos-based-priority command. The router tries to match
the ToS of the datagram to the ToS on one of the possible routes to the destination. If there's no match, the
datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery because better
performance may consume limited network resources.
Each bit represents the priority as defined in RFC 1349:
l 1000 - minimize delay

l 0100 - maximize throughput
l 0010 - maximize reliability
l 0001 - minimize monetary cost
To set the ToS value - CLI:

edit <sequence_number>
set tos [0-15]
set priority {high | medium | low}
end

Traffic shaping methods ToS priority
Where tos is the value of the type of service bit in the IP datagram header with a value between 0 and 15, and
priority is the priority of this type of service priority. These priority levels conform to the firewall traffic shaping
priorities, as defined in RFC 1349.
For example, if you want to configure a FortiGate so that reliability is the first priority, set the ToS value to 4.
edit 1
set tos 4
set priority high
end
For a list of ToS values and their DSCP equivalents see Traffic shaping methods on page 17.
Example
edit 1
set tos 1
set priority low
next
edit 4
set tos 4
set priority medium
next
edit 6
set tos 6
set priority high
next
end
ToS in FortiOS
Traffic shaping and ToS follow the following sequence:
l The CLI command tos-based-priority acts as a tos-to-priority mapping. FortiOS maps the ToS to a
priority when it receives a packet.
l Traffic shaping settings adjust a packet’s priority according to the traffic.
l Deliver the packet based on its priority.
Traffic shaping units of measurement

Bandwidth speeds are measured in Kilobits per second (Kbps), and Bytes that are sent and received are
measured in megabytes (MB). Occasionally this can cause confusion depending on whether your ISP uses
kilobits per second (Kbps), kilobytes per second (KBps), megabits per second (Mbps), or gigabits per second
(Gbps).
Download speeds
l 1 kilobyte per second (KBps) = 8 kilobits per second (Kbps)
l 1 megabit per second (Mbps) = 1,000,000 bits per second (bps)
l 1 gigabit per second (Gbps) = 1,000 (Mbps)

Interface-based traffic shaping Traffic shaping methods
File sizes
l 1 megabyte (MB) = 1,024 kilobytes (KB)
l 1 gigabyte (GB) = 1,024 megabytes (MB) or 1,048,576 kilobytes (KB)
To change a traffic shaper's unit of measurement - CLI:

edit <traffic_shaper_name>
set bandwidth-unit {kbps | mbps | gbps}
end
Interface-based traffic shaping
You can enable traffic shaping on an interface. This allows you to enforce bandwidth limits for individual
interfaces, by percentage. To configure interface-based traffic shaping, you must classify traffic in a traffic
shaping policy, assign bandwidth percentages in a traffic shaping profile, and apply the traffic shaping profile as
the egress traffic shaper on an interface.
Currently, only egress traffic shaping is available. To achieve ingress traffic shaping,
you can typically configure egress traffic shaping on the alternate interface. For
example, if you want to control inbound traffic on the WAN interface of the FortiGate,
you can apply outbound traffic shaping to the LAN interface.
Classifying traffic
You can use a traffic shaping policy to classify traffic. Edit a traffic shaping policy using the config firewall
shaping-policy command, and set the class-id command. A FortiGate stores the class-id on the
kernel session, so that it can quickly categorize any traffic that matches the criteria you define in the traffic
shaping policy.
To set the traffic class - CLI:

...
set class-id <value>
next
end
where class-id is a value in the range of 2 to 31.
Assigning bandwidth percentages

You can assign bandwidth percentages, using the config firewall shaping-profile command. Set a
bandwidth guarantee using the guaranteed-bandwidth-percentage command and set a maximum
bandwidth using the maximum-bandwidth-percentage.
To assign bandwidth percentages in a traffic shaping profile - CLI:

config firewall shaping-profile

Traffic shaping methods Interface-based traffic shaping
edit <egress_shaper_name>
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority low {low | medium | high}
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
edit 3
set class-id 5
set priority low {low | medium | high}
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
end
end
where you set the following variables:
Variable Description
default- The default class ID handles unclassified packets, including all local traffic. You must
class-id define the default class ID, since unclassified traffic must be controlled.
Note that any traffic class that's defined in the traffic shaping policy, but isn't defined
in the traffic shaping profile, is classified as part of the default class ID.
class-id The class-id is a value in the range of 2 to 31.
priority The priority assigned (low, medium, high) to the class also plays a critical role in
the bandwidth algorithm. Basically, priority decides which class can win when multiple
classes compete for the available bandwidth on the interface.
guaranteed- The guaranteed-bandwidth-percentage is a value in the range of 0 to 100

bandwidth- percent. The guaranteed bandwidth reserves a set amount of bandwidth for the class
percentage of traffic you select.
For example, if you set the guaranteed-bandwidth-percentage to 3, then

the FortiGate assigns at least 3% of the total bandwidth on the interface to that traffic
class (as long as the current traffic volume of this class is more than 3% of the total
volume). If the current traffic volume of this class is less than 3% of the total
bandwidth of the interface, then it's not shaped.
maximum- The maximum-bandwidth-percentage is a value in the range of 0 to 100

bandwidth- percent. The maximum bandwidth defines the hard limit for traffic in that class. The
percentage class never has more bandwidth than the amount of bandwidth you define. You can
assign 100% as the value, so that the class can potentially take all of the bandwidth
of the designated interface.

Important requirements:
l The guaranteed-bandwidth-percentage of the default class (in this
example, class-id 2) must be greater than or equal to 1%. This ensures that
local traffic always has some guaranteed bandwidth. However, the
guaranteed-bandwidth-percentage of other classes can be 0.
l The guaranteed-bandwidth-percentage must not exceed the value
of the maximum-bandwidth-percentage.
l The sum of guaranteed-bandwidth-percentage of all entries in one
profile must not exceed 100%.
Apply the traffic shaping profile

You can apply the egress traffic shaper to an interface, using the config system interface command to
edit the interface of your choice. Then, set the inbandwidth and outbandwidth values to the total amount
of bandwidth that's available on the interface. Set the egress-shaping-profile to the traffic shaping
profile you want to apply.
To apply the egress shaper to an interface - CLI:

edit <interface-name>
set outbandwidth <limit>
set egress-shaping-profile <egress_shaper_name>
next
end
where the inbandwidth and outbandwidth value is the total amount of bandwidth that's available on the
interface, from a value in the range of 0 to 1677600 kbps.
You should set the egress-shaping-profile value to the traffic shaping profile you want to apply.
Example of competing priority classes

The following example can help you understand how the bandwidth algorithm uses both the class ID, and priority
settings to determine which class wins when there are competing traffic classes. These examples are based on
the assumption that the traffic volume of each class is larger than its allocated bandwidth.
NOTE: If a class has a small traffic volume, other classes can borrow unused
bandwidth from it. In the following example, if class 2 has 100 MB of traffic and
class 3 has 1 GB of traffic, then you should set the bandwidth for class 2 to 100
MB and for class 3 to 900 MB.
guaranteed-bandwidth-per-
Class Priority maximum-bandwidth-percentage (%)
centage (%)
2 high 20% 100%
3 low 20% 100%

Traffic shaping methods Interface-based traffic shaping
If the profile configuration matches the table above, and the profile is applied to an egress interface with a total
bandwidth of 1 GB, and both class 2 and class 3 have 1 GB of generated traffic, the results are the following:
Class Priority Actual bandwidth
2 high 80% of 1 GB (800 MB)
3 low 20% of 1 GB (200 MB)
The reason for the results are that both class 2 and 3 are assigned guaranteed bandwidth first, which is 200 MB
each (20% of 1 GB). The remaining bandwidth of 600 MB is then allocated to class 2, because it has a higher
priority.
The algorithm can get a bit more complex when you assign multiple classes with the same priority. When the
same priority classes compete for available bandwidth, the allocation to each class is proportional to its
guaranteed-bandwidth-percentage.
Here's a slightly more complex example:
guaranteed-bandwidth-per-
Class Priority maximum-bandwidth-percentage (%)
centage (%)
2 high 20% 100%
3 low 20% 100%
4 high 30% 100%
If the profile configuration matches the table above, and is attached to an egress interface with a total bandwidth
of 1 GB, and classes 2, 3, and 4 have 1 GB of traffic generated, the results are the following:
Class Priority Actual bandwidth
2 high 200MB + 120MB = 320MB
3 low 200MB + 0 = 200MB
4 high 300MB + 180MB = 480MB
The reason for the results are that all classes are assigned the guaranteed bandwidth first, which is 200 MB, 200
MB, and 300 MB respectively. The remaining bandwidth of 300 MB is then allocated to class 2 and class 4,
because of their higher priority settings. The allocation for the remaining 300MB is proportional to their
guaranteed bandwidth. In this case, it is 120 MB for class 2 (300 MB * 20 / 50) and 180MB for class 4 (300 MB *
30 / 50).
Internet services support

The Internet Service Database (ISDB) and IP Reputation Database (IRDB) enhance traffic shaping criteria for
traffic shaping policies.
To use Internet services in a traffic shaping policy, you must set the Source or Destination to one of the Internet
services listed in the Internet Service tab. Internet service sources include CloudServer-AWS, Proxy-

Proxy.Server, SearchBot-Bing, and more. Internet service destinations offer a wide range of services, such as
Github-Web, Salesforce-SMTP, and Netflix-DNS.
The following image of the Traffic Shaping Policy page shows you where to find the Internet Service tab:
To create a traffic shaping policy that uses Internet services - GUI:
1. Create a new traffic shaping policy under Policy & Objects > Traffic Shaping Policy.
2. Add the Internet Service of your choice to the Source and Destination by selecting from the Internet Service
tab on the far right.
3. Set the Outgoing Interface to the egress port that traffic passes through.
To create a traffic shaping policy that uses Internet services - CLI:

set internet-service {enable | disable}
set internet-service-id <service_ID>
set internet-service-custom <custom_Internet_service_name>
set internet-service-src {enable | disable}
set internet-service-src-id <Internet_service_source_ID>
set internet-service-src-custom <custom_Internet_service_source_name>
next
end
where you set the following variables:

Traffic shaping methods Differentiated services
Option Description
internet-service Enables or disables the use of Internet services for this policy. If
enabled, the FortiGate uses the Internet service destination
address and service.
internet-service-id The Internet service ID. For example:
l 65536 Google-Others
l 65537 Google-Web
internet-service-custom Enter a custom Internet service name.
Enables or disables the use of Internet services in source for

internet-service-src this policy. If enabled, the FortiGate uses the Internet Services
source address.
internet-service-src-id The Internet service source ID. For example:
l 65536 Google-Others
l 65537 Google-Web
internet-service-src-custom The custom Internet service source name.
NOTE: This custom name must already be configured.
For more information about ISDB support in Firewall policies, see the Firewall Handbook or Networking
Handbook.
Differentiated services
Differentiated services (DiffServ) describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end
QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to
another. By configuring differentiated services, you configure your network to deliver particular levels of service
for different packets based on the QoS specified by each packet.
DiffServ is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service
discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that can
understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the
Traffic Class field in the IPv6 header.
You can use the FortiGate DiffServ feature to change the DSCP (Differentiated Services Code Point) value for all
packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic,
and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network
to apply different service levels to packets depending on the DSCP value of the packet.
If the differentiated services feature isn't enabled, the FortiGate treats traffic as if the DSCP value is set to the
default (00) and won't change the DSCP field of IP packets. DSCP values are also not applied to traffic if the
traffic originates from a FortiGate itself.

DSCP examples Traffic shaping methods
The FortiGate applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in
the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:
l 4 for IPv4
l 5 for a length of five words
l 00 for the default DSCP value
You can change the packet's DSCP field for traffic initiating a session (forward) or for reply traffic (reverse) and
enable each direction separately and configure it in the security policy.
Changes to DSCP values in a security policy effect new sessions. If traffic must use the new DSCP values
immediately, clear all existing sessions.
To enable DSCP - CLI:

...
set diffserv-forward enable
set diffservcode-forward <binary_integer>
set diffserv-reverse enable
set diffservcode-rev <binary_integer>
end
For more information on the different DCSP commands, see the examples below and the CLI Reference. If you
only set diffserv-forward and diffserv-reverse without setting the corresponding diffvercode
values, the FortiGate resets the bits to zero.
For a list of DSCP values and their ToS equivalents see Differentiated services on page 37. DSCP values can also
be defined within a shared traffic shaper as a single value, and per-IP traffic shaper for forward and reverse
directions.
DSCP examples
For all the following DSCP examples, the FortiGate and client PC configuration is the following diagram and used
firewall-based DSCP configurations.

Traffic shaping methods DSCP examples
P
or
U
t6
se
r
1
P
or
or
tiG
t3
at
e
W
A
A
N
2
F
In
or
te
tiG
rn
a
at
l
e
B
U
se
r
2
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through a FortiGate. DSCP is
disabled on FortiGate B, and FortiGate A contains the following configuration:
edit 2
set srcintf port6
set dstintf port3
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffservcode-forward 101110
end
As a result, FortiGate A changes the DSCP field for outgoing traffic, but not to its reply traffic. The binary DSCP
values used map to the following hexadecimal.
ToS field values, which are observable by a sniffer (also known as a packet tracer):
l DSCP 000000 is TOS field 0x00

l DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
If you perform an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the
request and the reply by sniffers on each of the network interfaces on the FortiGate. The right-most two digits of
each IP header are the ToS field, which contains the DSCP value.
User 1 User 2
4500 4500 45b8 45b8 45b8 45b8
4500 4500 4500 4500 4500 4500

DSCP examples Traffic shaping methods
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is
disabled on FortiGate B, and FortiGate A contains the following configuration:
edit 2
set srcintf port6
set dstintf port3
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY"
set diffserv-rev enable
set diffservcode-rev 101111
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. The binary DSCP
values in map to the following hexadecimal ToS field values, which are observable by a sniffer:

l DSCP 101111 is TOS field 0xbc
If you perform an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for
the request and the reply by sniffers on each of the network interfaces on FortiGate A and FortiGate B. The right-
most two digits of each IP header are the ToS field, which contains the DSCP value.
User 1 User 2
4500 4500 45b8 45b8 45b8 45b8
45bc 45bc 4500 4500 4500 4500
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is
enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A
contains the following configuration:
edit 2
set srcintf port6
set dstintf port3
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
end

Traffic shaping methods DSCP examples
FortiGate B contains the following configuration:

edit 2
set srcintf wan2
set dstintf internal
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, and FortiGate B
changes the DSCP field only for reply traffic. The binary DSCP values in this configuration map to the following
hexadecimal ToS field values:

l DSCP 101101 is TOS field 0xb4
If you perform an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for
the request and the reply by sniffers on each of the network interfaces on FortiGate A and FortiGate B. The right-
most two digits of each IP header are the ToS field, which contains the DSCP value.
User 1 User 2
4500 4500 45b8 45b8 45b8 45b8
45bc 45bc 45b4 45b4 4500 4500
Example
In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. DSCP is
enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A
contains the following configuration:
edit 2
set srcintf port6
set dstintf port3
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
end
FortiGate B contains the following configuration:

Traffic mapping Traffic shaping methods

edit 2
set srcintf wan2
set dstintf internal
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B
changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic
doesn't pass through the internal interface, FortiGate B doesn't mark the packets. The binary DSCP values in this
configuration map to the following hexadecimal ToS field values:

l DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the
example traffic originates from the FortiGate itself, and therefore doesn't match that security policy.
If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the following would illustrate the IP headers
observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces.
The right-most two digits of each IP header are the ToS field, which contains the DSCP value.
User 1 User 2
4500 4500 45b8 45b8
45bc 45bc 4500 4500
Traffic mapping
There are two types of traffic mapping: Type of Service (ToS) and Differentiated Services Code Point (DSCP).
You can only use one method at a time. ToS is the default method. You can set the traffic mapping type using the
CLI.
To configure traffic mapping - CLI:

set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high }
end
Mapping of DSCP and ToS hexadecimal values for QoS
Service class DSCP bits DSCP value ToS value ToS hexidecimal
Network Control 111000 56-63 224 0xE0

Traffic shaping methods Traffic shaper monitor
Service class DSCP bits DSCP value ToS value ToS hexidecimal
Internetwork
Control 110000 48-55 192 0xC0
Critical - Voice 101110 46 184 0xB8

Data (RTP)
101000 40 160 0xA0
Flash Override 100010 34 136 0x88

Video Data
100100 36 144 0x90
100110 38 152 0x98
100000 32 128 0x80
Flash Voice 011010 26 104 0x68

Control
011100 28 112 0x70
011110 30 120 0x78
011000 24 96 0x60
Immediate 010010 18 72 0x48

Deterministic
(SNA) 010100 20 80 0x50
010110 22 88 0x58
010000 16 64 0x40
Priority 001010 10 40 0x28

Controlled Load
001100 12 48 0x30
001110 14 56 0x38
001000 8 32 0x20
Routine - Best 000000 0 0 0x00

Effort
Routine - Penalty
Box 000010 2 8 0x08
Traffic shaper monitor
You can view statistical information about traffic shapers and their bandwidth from FortiView > Traffic Shaping.

Traffic shaper monitor Traffic shaping methods
Refresh the information on the page.
Table View shows the following columns by default: Shaper, Bytes

(Sent/Received), Sessions, Bandwidth, or Dropped Bytes. For more display
options, right-click on the column header.
Bubble Chart shows you which resources consume the most bandwidth.
Double-click on a traffic shaper to view more details. Determine whether
more granular shaping is required by looking at the bandwidth usage by
sources, destinations, applications, policies, and sessions.
FortiView Settings include the following options:

l Include Local traffic (Realtime Only)
l Include Unscanned Applications (Applications View Only)
l Auto update realtime visualizations
l Interval (seconds)
l Threat Weight Settings

Examples
While it is possible to configure QoS using a combination of security policies and ToS based priorities, and to
distribute traffic over all six of the possible queues for each physical interface, the results of those configurations
can be more difficult to analyze due to their complexity. In those cases, prioritization behavior can vary by several
factors, including traffic volume, type of service (ToS) or differentiated services (DiffServ) markings, and
correlation of session to a security policy.
The following simple examples illustrate QoS configurations using either prioritization by security policy, or
prioritization by ToS bit, but not both. The examples also assume you are not configuring traffic shaping for
interfaces that receive hardware acceleration from network processing units (NPU).
QoS using priority from security policies
Configurations implementing QoS using the priority values defined in the security policies are capable of applying
bandwidth limits and guarantees.
In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface.
This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the
maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will
get dropped later in the process, you may choose to preemptively police the traffic.
If you decide to implement QoS using security policies rather than ToS bit, the FortiGate applies QoS to all
packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the
benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over
up to four of the possible 6 priority queues (queue 0 to queue 3), doesn't require other devices in your network to
set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.
In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by
sessions controlled by the security policy, and then configure prioritized queuing on the destination interface
based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to
achieve the guaranteed packet rate.
To limit bandwidth accepted by an interface - CLI:

next
end
where <rate_int> is the bandwidth limit in Kbps. Excess packets are dropped.
To configure bandwidth guarantees, limits, and priorities - GUI:
1. Go to Policy & Objects > Traffic Shapers and select the Create New + sign.
2. Select Shared or Per-IP.
3. Enter a name for the traffic shaper.

QoS using priority from security policies Examples
4. Select the Traffic Priority.

High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed
Bandwidth, the FortiGate disregards this setting, and instead uses priority queue.
5. Enable Max Bandwidth and enter a value.
Packets greater than this rate are discarded.
6. Enable Guaranteed Bandwidth and enter a value, if any.
Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If
this isn't the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable
bandwidth guarantees.
7. Enable DSCP and set a value.
8. Select OK.
Per-IP shapers also include the option to set a maximum number of concurrent

connections and to set both Forward DSCP and Reverse DSCP.
Sample configuration
This sample configuration limits ingressing bandwidth to 500 Kbps. It also applies separate traffic shapers to FTP
and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy
bandwidth limit of 200 Kbps.
All egressing FTP traffic greater than 10 Kbps is subject to a low priority queue (queue 3), while all egressing
HTTP traffic greater than 100 Kbps is subject to a medium priority queue (queue 2). That is, unless FTP traffic
rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic
is lower priority than web traffic.
Traffic less than these guaranteed bandwidth rates use the highest priority queue (queue 0).
To set the inbandwidth limits - CLI:
This setting is only available in the CLI.

edit wan1
set inbandwidth 500
next
end
Create traffic shapers for FTP and HTTP.
To configure an FTP shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers, and select the Create New “Plus” icon.
2. Select Shared.
3. Enter FTP for the name of the traffic shaper.
4. Set Traffic Priority to Low.
5. Select the Guaranteed Bandwidth checkbox and enter 10 Kbps.
6. Select the Maximum Bandwidth checkbox and enter 500 Kbps.

Examples QoS using priority from security policies
7. Select OK.
8. Select the FTP traffic shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To configure an HTTP shaper - GUI:
1. Select the Create New “Plus” icon.

2. Set Type to Shared.
3. Enter HTTP for the name of the traffic shaper.
4. Set Traffic Priority to Medium.
5. Select the Guaranteed Bandwidth checkbox and enter 100 Kbps.
6. Select the Maximum Bandwidth checkbox and enter 200 Kbps.
7. Select OK.
8. Select the HTTP traffic shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To add the FTP shaper to a traffic shaping policy - GUI:
1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for
FTP.
2. Set the Matching Criteria to the following:
Source all
Service FTP
Outgoing interface any (The outgoing interface should match the outgoing interface of the
security policy you wish to apply shaping to.)
Shared Shaper Enable Shared Shaper and select FTP from the drop-down menu.
Reverse Shaper Enable Shared Shaper and select FTP from the drop-down menu.
4. Select OK.
To add the HTTP shaper to a traffic shaping policy - GUI:
1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for
HTTP.
2. Set the Matching Criteria to the following:

QoS using priority from security policies Examples
Source all
Service HTTP
Outgoing interface any (The outgoing interface should match the outgoing interface of the
security policy you want to apply traffic shaping to.)
Shared Shaper Enable Shared Shaper and select HTTP from the drop-down menu.
Reverse Shaper Enable Shared Shaper and select HTTP from the drop-down menu.
4. Select OK.
5. On the policy list page, move the FTP traffic shaping policy to the top of the list by clicking the far left column to
drag and drop it. The HTTP traffic shaping policy should be below the FTP policy, and more general Internet
access policies should be at the bottom of the policy list.
To configure the FTP and HTTP traffic shapers - CLI:

edit FTP
set priority low
next
edit HTTP
set priority medium
end
To add each traffic shaper to a traffic shaping policy - CLI:

set srcaddr all
set dstaddr all
set service ALL
set traffic-shaper FTP
next
set srcaddr all
set dstaddr all
set service ALL
set traffic-shaper HTTP

Examples QoS using priority from ToS or DiffServ
next
move 1 before 2
end
QoS using priority from ToS or DiffServ
Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are
not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet
levels, rather than uniformly to all services matched by the security policy.
In addition to configuring traffic prioritization, you may also choose to limit bandwidth that's received by each
interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but don't want to
configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the
FortiGate performs most processing.
Note that if you implement QoS using ToS octet rather than security policies, the FortiGate applies QoS on a
packet-by-packet basis, and priorities may be different for packets and services controlled by the same security
policy. This is more granular control than prioritization by security policies, but has the drawbacks that quality of
service may not be uniform for multiple services controlled by the same security policy, packets only use up to
three of the six possible queues (queue 0 to queue 2), and bandwidth can't be guaranteed. Other devices in your
network must also be able to set or preserve ToS bits.
In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing
on the destination interface based upon the value of the ToS bit located in the IP header of each accepted
packet.
To limit bandwidth accepted by an interface - CLI:

next
end
where <limit> is the bandwidth limit in Kbps. Excess packets are dropped.
To configure the global priority value - CLI:

set tos-based-priority {high | low | medium}
end
where high has a priority value of 0 and low is 2.
If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority
for packets with that ToS bit value using the following commands:
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end

Example setup for VoIP Examples
where and tos is the value of the ToS bit in the packet’s IP header, and high has a priority value of 0 and low is
2. Priority values configured in this location will override the global ToS-based priority.
Sample configuration
This sample configuration limits ingressing bandwidth to 500 Kbps. It also queues egressing traffic based upon
the ToS bit in the IP header of ingressing packets.
Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4
and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.
edit wan1
set inbandwidth 500
next
end
set tos-based-priority low
end
edit 4
set tos 4
set priority medium
next
edit 15
set tos 15
set priority high
next
end
Example setup for VoIP
In this example, there are three traffic shaping requirements for a network:
l Voice over IP (VoIP) requires a guaranteed, high-priority for bandwidth for telephone communications.
l FTP bursts must be contained so it doesn't consume any available bandwidth. As such, this traffic needs to be
throttled to a smaller amount.
l A consistent bandwidth requirement is needed for all other email and web-based traffic.
To enable this requirement, you need to create three separate traffic shapers and three traffic shaping policies for
each traffic type.
In this example, the values used aren't recommended values.
Creating the traffic shapers

First create the traffic shapers that define the maximum and guaranteed bandwidth. The shared traffic shapers
are used with some applied per-policy and some applied to all policies, to better control traffic.

Examples Example setup for VoIP
VoIP shaper
The VoIP functionality is a key component to the business as a communication tool and as such requires a
guaranteed bandwidth. This traffic shaper is a high priority traffic shaper.
To create a VoIP shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers and select Create New.

3. Enter the Name voip.
4. Set the Traffic Priority to High.
5. Select Maximum Bandwidth and enter 1000 Kbps.
6. Select Guaranteed Bandwidth and enter 800 Kbps.
7. Select OK.
8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To create a VoIP shaper - CLI:

edit voip
set priority high
end
Setting the traffic shaper to per-policy ensures that regardless of the number of policies that use this traffic
shaper, the defined bandwidth is always the same. At the same time, the bandwidth is continually guaranteed at
800 Kbps but, if available, can be as much as 1000 Kbps. Setting the priority to high ensures that the FortiGate
considers VoIP traffic the most important.
FTP traffic shaper

The FTP traffic shaper sets the maximum bandwidth to use to avoid sudden spikes by sudden uploading or
downloading of large files, and interfering with other more important traffic.
To create a FTP shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers and Create New.

3. Enter the Name ftp.
4. Set the Traffic Priority to Low.
5. Select Maximum Bandwidth and enter 200 Kbps
7. Select OK.

To create a FTP shaper - CLI:

edit ftp
set priority low
end
For this traffic shaper, the maximum and guaranteed bandwidth are set to a low value and to the same value. In
this case, the bandwidth is restricted to a specific amount. Setting the traffic priority to a low value ensures that
more important traffic passes before FTP traffic.
Regular traffic shaper

The regular traffic shaper sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic
such as web and email traffic.
To create a regular traffic shaper - GUI:
1. Go to Policy & Objects > Traffic Shapers and Create New.

3. Enter the Name daily_traffic..
4. Set the Traffic Priority to Medium.
5. Select Maximum Bandwidth and enter 600 Kbps
7. Select OK.
To create a regular traffic shaper - CLI:

edit daily_traffic
set priority medium
end
For this traffic shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kbps. It's also
set per policy, which ensures each security policy for day-to-day business traffic has the same distribution of
bandwidth.
Creating traffic shaping policies

To employ the traffic shapers,create traffic shaping policies that apply to your existing security policy. Create a
separate policy for each service and apply the traffic shaper to the outgoing interface you want to use. For
example, a policy for FTP traffic, a policy for SIP, and so on.
For the following steps, the VoIP traffic shaper is enabled as well as the reverse direction. This ensures that
return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. The example below shows
how to enable each traffic shaper in a traffic shaping policy.
In this example, the traffic shaping policies will apply traffic shaping to the following security policy:

Incoming interface lan (Internal interface)
Source address All
Outgoing interface WAN1
Destination address All
Schedule always
Service all
Action ACCEPT
To create a VOIP traffic shaping policy- GUI:
1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.
2. Now create a traffic shaping policy that matches the settings you entered for the security policy:
Source All
Destination All
Service All
Application Category VoIP
Application SIP
URL Category Internet Telephony
Outgoing Interface wan1
3. Enable Shared Shaper, select the VoIP traffic shaper that you created in the previous steps.
4. Enable Reverse Shaper, select the VoIP traffic shaper that you created in the previous steps.
5. Select Enable this policy.
6. Select OK.
To create a VOIP traffic shaping policy - CLI:

set srcaddr all
set dstaddr all
set service ALL
set application 34640 <SIP>
set app-category 3 <VoIP>
set url-category 76 <Internet Telephony>
set traffic-shaper voip <high_priority_custom_shaper>
set reverse-traffic-shaper voip <high_priority_custom_shaper>
end

To create an FTP traffic shaping policy - GUI:
2. Now create a traffic shaping policy that matches the settings you entered for your security policy:
Source All
Destination All
Service FTP
3. Enable Shared Shaper, select the FTP shaper created in the previous steps.
4. Enable Reverse Shaper, select the FTP shaper created in the previous steps.
6. Select OK.
To create an FTP traffic shaping policy - CLI:

set srcaddr all
set dstaddr all
set service FTP
set traffic-shaper FTP <low_priority_custom_shaper>
set reverse-traffic-shaper FTP <low_priority_custom_shaper>
end
To create a regular traffic shaping policy - GUI:
2. Now create a traffic shaping policy that matches the settings you entered for your security policy:
Source All
Destination All
Service ALL
3. Enable Shared Shaper, select the medium-priority shaper.

4. Enable Reverse Shaper, select the medium-priority shaper.
6. Select OK.
To create a regular traffic shaping policy - CLI:


set srcaddr all
set dstaddr all
set service ALL
set traffic-shaper medium-priority <default_shaper>
set reverse-traffic-shaper medium-priority <default_shaper>
end
To order your traffic shaping policies - CLI:

move 1 before 2
move 3 below 2
end
Ensure that your high priority SIP/VoIP policy is at the top of the policy list, the low
priority FTP traffic shaper comes second, and the medium priority regular traffic
shaper comes last. Restrictive policies should always go above more general access
policies.
Alternate method of enabling traffic shaping in the security policy

It's also possible to create three separate security policies for each type of traffic (VoIP, FTP, and regular). You
can enable traffic shaping individually within each security policy in the CLI only, like the example shown below:
To enable traffic shaping in the security policy - CLI:

edit 6
set srcintf <internal_interface>
set scraddr all
set dstintf wan1
set dstaddr all
set action accept
set schedule always
set service sip
set traffic-shaper voip
set reverse-traffic-shaper voip
end

Troubleshooting traffic shaping
This chapter outlines some troubleshooting tips and steps to diagnose the traffic shapers and whether they're
working correctly. These diagnose commands include:
l diagnose system tos-based-priority
l diagnose firewall shaper traffic-shaper
l diagnose firewall per-ip-shaper
l diagnose debug flow
Interface diagnosis
To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of
errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the
traffic statistics:
diagnose hardware deviceinfo nic <port_name>
Traffic shaper diagnose commands
There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet
loss due to the employed traffic shaper.
All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.
ToS command
Use the following command to list command to view information of the ToS lists and traffic:
diagnose system tos-based-priority
This example displays the priority value currently correlated with each possible ToS bit value. Priority values are
displayed in order of their corresponding ToS bit values, which can range between 0 and 15, from lowest ToS bit
value to highest.
For example, if you configured ToS-based priorities, the following appears:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
This reflects that all packets are currently using the same default priority, high (value 0).
If you configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following
appears:
0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0
This reflects that most packets are using the default priority value, except those with a ToS bit value of 3.

Traffic shaper diagnose commands Troubleshooting traffic shaping
Shared traffic shaper

To view information for the shared traffic shaper for security policies, enter the command:
diagnose firewall shaper traffic-shaper list
The resulting output displays the information on all available traffic shapers. The more traffic shapers that are
available, the longer the list. For example:
name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
Additional commands include:

diagnose firewall shaper traffic-shaper state - provides the total number of traffic shapers on
the FortiGate.
diagnose firewall shaper traffic-shaper stats - provides summary statistics on the shapers.
Sample output looks like the following:
shapers 9 ipv4 0 ipv6 0 drops 0
Per-IP traffic shaper

To view information for the per-IP traffic shaper for security policies, enter the command:
diagnose firewall shaper per-ip-shaper list
The resulting output displays the information on all available per-IP traffic shapers. The more traffic shapers that
are available, the longer the list. For example:
name accounting_group
maximum-concurrent-session 55
packet dropped 0
Additional commands include:

diagnose firewall shaper per-ip-shaper state - provides the total number of per-ip traffic
shapers on the FortiGate.
diagnose firewall shaper per-ip-shaper stats - provides summary statistics on the traffic
shapers. Sample output looks like the following:
memory allocated 3 packet dropped: 0
You can also clear the per-ip statistical data to begin a fresh diagnosis using:
diagnose firewall shaper per-ip-shaper clear
Packet loss with statistics on traffic shapers

For each traffic shaper there are counters that allow you to verify if packets have been discarded. To view this
information, enter the diagnose firewall shaper command in the CLI. The results look similar to the
following output:
diagnose firewall shaper traffic-shaper list

Troubleshooting traffic shaping Packet lost with the debug flow
name limit_GB_25_MB_50_LQ
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985
The diagnose command output is different if the diagnose firewall shapershapers are configured either per-policy
or shared between policies.
For per-IP the output is:

diagnose firewall shaper per-ip-shaper list
name accounting_group
maximum-concurrent-session 55
packet dropped 3264220
Packet lost with the debug flow
When using the debug flow diagnostic command, there is a specific message information that a packet has
exceed the diagnose firewall shapershaper limits and therefore discarded:
diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735-

>10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
Session list details with dual traffic shaper
When a security policy has a different traffic shaper for each direction, it's reflected in the session list output from
the CLI:
diagnose system session list
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock

flag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)

Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortigate Traffic Shaping 60

Uploaded by

Copyright:

Available Formats

Fortigate Traffic Shaping 60

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortigate Traffic Shaping 60

Uploaded by

Copyright:

Available Formats

What are the main topics covered in the document?

What are the main topics covered in the document?

How does traffic shaping work on FortiGate devices?

How does traffic shaping work on FortiGate devices?

FortiOS™ Handbook - Traffic Shaping

FORTINET TRAINING AND CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

FortiOS™ Handbook - Traffic Shaping

Date Change description

Traffic Shaping for FortiOS 6.0.0 5

The following chapters are included in this document:

Examples provides basic application scenarios for traffic shapers.

What's new in FortiOS 6.0

l "Interface-based traffic shaping" on page 32

Traffic Shaping for FortiOS 6.0.0 6

Traffic Shaping for FortiOS 6.0.0 7

Traffic policing Drops packets that don't conform to bandwidth limitations

8 Traffic Shaping for FortiOS 6.0.0

A similar CLI command is available that can be performed on egress:

Bandwidth guarantee, limit, and priority interactions

l Administrative access traffic will always use queue 0.

Traffic Shaping for FortiOS 6.0.0 9

10 Traffic Shaping for FortiOS 6.0.0

Traffic Shaping for FortiOS 6.0.0 11

Calculation and regulation of packet rates

where rate is expressed in Kbps

12 Traffic Shaping for FortiOS 6.0.0

Bursts and bandwidth limits over time

Traffic Shaping for FortiOS 6.0.0 13

99.999 (50 + 49.999) 1 99.999

... ... ...

14 Traffic Shaping for FortiOS 6.0.0

Configuration considerations include:

Traffic Shaping for FortiOS 6.0.0 15

16 Traffic Shaping for FortiOS 6.0.0

Traffic shaping options

l Shared policy shaping - bandwidth management by security policies

l Application control traffic shaper

Traffic Shaping for FortiOS 6.0.0 17

Shared policy traffic shaping

For all policies using a traffic shaper

18 Traffic Shaping for FortiOS 6.0.0

Maximum and guaranteed bandwidth

Traffic shaping policy order

Traffic Shaping for FortiOS 6.0.0 19

Traffic shaping policy configuration settings

Source *all (default)

Destination *all (default)

Service *ALL (default)

- Choose an application category to apply traffic shaping to a specific

Application - Choose an application to specify which applications you want to apply

- Choose a URL category to block a subset of applications. For example,

Set Apply shaper to the following:

Choose one of the default shared traffic shapers: guarantee-100kbps, high-

Enable a per-IP traffic shaper if you want to apply traffic shaping by

To create the traffic shaping policy - CLI:

20 Traffic Shaping for FortiOS 6.0.0

VLAN, VDOM, and virtual interfaces

Shared traffic shaper configuration settings

Type Select Shared.